Export limit exceeded: 344809 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344809 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-70811 | 1 Ariefibis | 1 Phpbb3 | 2026-04-15 | 4.3 Medium |
| Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. | ||||
| CVE-2025-70364 | 1 Kiamo | 1 Kiamo | 2026-04-15 | 8.8 High |
| An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. | ||||
| CVE-2026-30479 | 1 Mapserver | 1 Mapserver | 2026-04-15 | 9.1 Critical |
| A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable. | ||||
| CVE-2026-29923 | 1 Entechtaiwan | 1 Powerstrip | 2026-04-15 | 7.8 High |
| The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures. | ||||
| CVE-2026-31170 | 1 Totolink | 1 A3300r | 2026-04-15 | 9.8 Critical |
| An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi. | ||||
| CVE-2025-62718 | 1 Axios | 1 Axios | 2026-04-15 | 9.9 Critical |
| Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0. | ||||
| CVE-2026-34578 | 1 Opnsense | 2 Core, Opnsense | 2026-04-15 | 8.2 High |
| OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6. | ||||
| CVE-2026-5441 | 2 Orthanc, Orthanc-server | 2 Dicom Server, Orthanc | 2026-04-15 | 7.1 High |
| An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output. | ||||
| CVE-2026-5444 | 2 Orthanc, Orthanc-server | 2 Dicom Server, Orthanc | 2026-04-15 | 7.1 High |
| A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing. | ||||
| CVE-2026-5445 | 2 Orthanc, Orthanc-server | 2 Dicom Server, Orthanc | 2026-04-15 | 9.1 Critical |
| An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image. | ||||
| CVE-2026-5443 | 2 Orthanc, Orthanc-server | 2 Dicom Server, Orthanc | 2026-04-15 | 9.8 Critical |
| A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers. | ||||
| CVE-2026-5442 | 2 Orthanc, Orthanc-server | 2 Dicom Server, Orthanc | 2026-04-15 | 9.8 Critical |
| A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding. | ||||
| CVE-2026-5440 | 2 Orthanc, Orthanc-server | 2 Dicom Server, Orthanc | 2026-04-15 | 7.5 High |
| A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body. | ||||
| CVE-2026-5438 | 1 Orthanc | 1 Dicom Server | 2026-04-15 | 7.5 High |
| A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory. | ||||
| CVE-2026-5437 | 1 Orthanc | 1 Dicom Server | 2026-04-15 | 7.5 High |
| An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic. | ||||
| CVE-2026-5439 | 1 Orthanc | 1 Dicom Server | 2026-04-15 | 7.5 High |
| A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction. | ||||
| CVE-2026-35041 | 1 Nearform | 1 Fast-jwt | 2026-04-15 | 4.2 Medium |
| fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1. | ||||
| CVE-2026-39942 | 2 Directus, Monospace | 2 Directus, Directus | 2026-04-15 | 8.5 High |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0. | ||||
| CVE-2026-39943 | 2 Directus, Monospace | 2 Directus, Directus | 2026-04-15 | 6.5 Medium |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0. | ||||
| CVE-2026-39983 | 1 Patrickjuchli | 1 Basic-ftp | 2026-04-15 | 8.6 High |
| basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1. | ||||